OFIDS : Online Learning-Enabled and Fingerprint-Based Intrusion Detection System in Controller Area Networks

Abstract

As a widely used industrial field bus, the controller area network (CAN) lacks security mechanisms (e.g., encryption and authentication) and is vulnerable to security attacks (e.g., masquerade). A fingerprint-based intrusion detection system (IDS) in CAN networks can detect masquerade attacks by scanning the unique clock signals of CAN devices. However, most state-of-the-art fingerprint-based IDSs commonly use an analog-to-digital converter module with a low frequency of 60 MHz to sample CAN signals, lowering the detection accuracy of fingerprint-based IDSs. In addition, almost all fingerprint-based IDSs are trained offline and then detected online, ignoring that system clock signals of hardware change over time, resulting in degraded detection performance. This paper proposes an online learning-enabled and fingerprint-based IDS (OFIDS) in CAN networks to increase the sampling frequency, shorten the detection response time, and increase the detection accuracy. OFIDS uses a high-speed comparator (i.e., TLV3501) and FPGA (i.e., Xilinx ZYNQ-7010) to sample the CAN_High signal, achieving a low sampling delay time of 4.5 ns and a high sampling frequency of 1 GHz. The self-adaptability of the backpropagation neural network is taken advantage of and used to train the OFIDS model with a detection accuracy of 99.9992%. OFIDS is deployed to a CAN network prototype with five CAN devices (i.e., two Arduino UNO boards and three STM32 microcontrollers) and a real vehicle. Experimental results show that OFIDS can achieve at least 99.99% detection accuracy within 0.18μs in a CAN network prototype and can achieve 98% detection accuracy in a real vehicle.